While we rail on Apple for its closed and restrictive policies regarding iOS, with Apple you at least know what you’re getting into. Many people buy a mobile phone running Android precisely because it is more open and free than the competing platforms – so you can imagine the surprise when the hackers at xda-developers found out that the brand-new T-Mobile G2 has a hardware rootkit that will always restore the phone’s original operating system after a different ROM is installed. HTC says it doesn’t know of any such feature, and points towards the carrier (or Google).
So, the G2 is one of the top HTC Android devices at this point, and considered to be the successor to the G1 – the world’s first available Android phone. As such, the G2 kind of has a special place in the vast array of Android phones, but as it turns out, it doesn’t look like hackers are going to like the device.
After intense investigation and hackery by the hackers at xda-developers, it was revealed that the G2 uses a special combination of hardware and software to return the phone to its unrooted/unaltered state after a reboot whenever it has been rooted/altered. At this point, the hackers aren’t entirely sure whether it’s the hardware or the software that does the trick. Basically, it appears that changes to the device’s system software are intercepted and written to a separate part of the flash memory without actually altering the system software itself.
“I think it is basically like an overlay. The underlying files are from a read-only /system. Any changes get written to a separate place,” mlevin explains. “It sounds like it is a lot like Sandboxie (a Windows app that lets you create safe sandboxes). Any writes to your disk or registry get intercepted at a low level and end up written to another location, which you can later delete to make it as if the files were never written. It’s like a read-through cache but the writes don’t go back to the underlying location.”
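The overlay behaviour mlevin describes, modelled as an added Python example (not code from the G2 firmware, HTC, or xda-developers): a read-only lower layer holds the stock /system, every write or delete is captured in a separate upper layer, and a simulated reboot discards that layer so the stock image reappears. The sample image contents and the whiteout marker are assumptions made for the illustration.

```python
WHITEOUT = object()  # upper-layer marker: "this stock path has been deleted"


class OverlayFS:  # read-only lower layer (stock /system) under a writable upper layer
    def __init__(self, lower: dict) -> None:
        self.lower = dict(lower)  # stock image; nothing below ever mutates it
        self.upper = {}           # every write is redirected here instead

    def read(self, path: str) -> bytes:
        if path in self.upper:                  # the upper layer wins on lookup
            if self.upper[path] is WHITEOUT:
                raise FileNotFoundError(path)
            return self.upper[path]
        if path in self.lower:                  # read-through to the stock image
            return self.lower[path]
        raise FileNotFoundError(path)

    def write(self, path: str, data: bytes) -> None:
        self.upper[path] = data                 # captured; lower stays untouched

    def unlink(self, path: str) -> None:
        if path not in self.listdir():
            raise FileNotFoundError(path)
        self.upper[path] = WHITEOUT             # hide the stock copy, don't erase it

    def listdir(self) -> list:
        names = set(self.lower) | set(self.upper)
        return sorted(p for p in names if self.upper.get(p) is not WHITEOUT)

    def reboot(self) -> None:
        self.upper.clear()                      # drop every redirected change


STOCK_SYSTEM = {  # constructed sample image, not a real G2 dump
    "/system/bin/sh": b"stock shell",
    "/system/build.prop": b"ro.secure=1\n",
}


def modify_then_reboot() -> dict:
    """Add, edit and delete under /system, then reboot; report what survives."""
    fs = OverlayFS(STOCK_SYSTEM)
    fs.write("/system/bin/su", b"new binary")         # add a file
    fs.write("/system/build.prop", b"ro.secure=0\n")  # edit a stock file
    fs.unlink("/system/bin/sh")                       # delete a stock file
    before = (fs.listdir(), fs.read("/system/build.prop"))
    fs.reboot()
    after = (fs.listdir(), fs.read("/system/build.prop"))
    return {"before": before, "after": after, "lower_intact": fs.lower == STOCK_SYSTEM}
```

Before the reboot the modified view is what any process sees; after it, the listing and file contents are exactly the stock image again, which is the restore-on-reboot behaviour the article describes.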
The interesting thing here is that it’s unclear whose fault this really is. You’d think HTC, but the Taiwanese phone maker claims it’s either Google or the carrier who’s to blame. “HTC is not aware of any Root Kit or Blocking feature on the G2. It is quite possible such a feature was added by Google or the Carrier,” the company states.
It wouldn’t surprise me in the least that this feature came from the carrier – which would mean the bulk of the “feature” consists of software (good news). Still, it’s sad that once again, the device you buy is actually not yours.
This is true. No matter how good the phone is, carriers will find a way to screw it up. I think Sprint might be a little better in this regard, but I really don’t want to have to stand in my front yard just to get a signal, so what can you do?
It shows once again that Android should have been a core distribution, not a per-vendor spaghetti mash. Let the flashing utility include two files; one for the Android standard image and one for a smaller binary of device specific drivers. Ideally vendors should be putting the hardware drivers directly back into the stock Android distribution but I could accept the slipstreamed driver package if they’d at least stop with the malware infested one-off firmware images.
Why are you guys buying the phones from the carrier? Can’t you just buy the phone in a store and then just get the SIM card from the carrier?
Ha, you certainly don’t live in the US where the vast majority of phones are only sold from the carrier and if you don’t go that way you are doomed (eg Nokia).
My suggestion is simpler, just don’t buy it, there are many android phones in the market.
Edited 2010-10-07 07:43 UTC
Correct, I certainly don’t. One of these days I should go to the mall and take a few pictures of the cellphone shops jam-packed with carrier-neutral phones just to make you Americans jealous.
Well… If HTC were to blame (which I don’t think so) that will be a really big shift from their previous policy… Motorola, on the other side, has a company policy of signed bootloaders (they told us on the Moto Europe Facebook page)… so I really hope it’s T-Mobile’s doing.
I have a Motorola Milestone atm, and I bought it not knowing about the signed bootloader; my next phone will be an HTC.
WTF is a service provider doing making a device firmware image? I pay them for a network connection and expertise, not their developer skills. This, assuming it is the telco’s firmware.
What, so read-only filesystems with a separate data store are something new now? You could have fooled me.
Stamping the base BIOS or OS on a ROM chip so it can’t be modified is nothing new at all. In a device branded as “tinker friendly” and open, it’s malware regardless of the method used to do it.
Most likely it’s how they mount the file systems, such that they are simply using a layered file system approach. Linux supports this without any problems.
Prime benefit is resistance to power-failure – you don’t have to worry about the changes in case the changes get corrupt.
So it’s probably a combination: checksum the file system to let the hardware know when to remove the changes, and then just use a layered file system set for normal operation.
T-Mobile is one of the more reasonable carriers in the US. My gf has a MyTouch Android device with Tmo, and they send out periodic magazines that highlight recommended apps in the Android Marketplace. Some of the recommendations in the publication specifically mention needing to get root on your device before the app will run. Hard to imagine the same company crippling a phone to make this impossible.
Tmo will even unlock these devices if you ask them nicely. So let’s wait for the FUD to die down and figure out exactly what’s going on before blaming the “Carrier.”
I tried that once. Got a form letter that they couldn’t get the unlock code from the manufacturer.
Ended up just going to a 3rd party phone shop to unlock the phone.
Indeed, this is one of the reasons I switched from ATT to T-Mobile. I had been hesitant to switch for the longest time, because if you just go by their website they seem to have more expensive plans. After taking the plunge, I found this to be completely untrue; I’m paying less for three lines on a family account with unlimited messaging and internet on all three devices, than I did for two lines on ATT with limited messaging and internet on one line only. I think the difference is that you can work with their sales staff, whereas with ATT you pretty much have to take what they shove down your throat.
Combine that with the great selection of smartphones, the (so far) excellent customer service and their open stance towards devices and I’m very happy to be with T-Mobile.
Having said all that, I find this article to be disconcerting. I want to believe that Tmo is the consumer-friendly carrier I’ve found them to be over the last few months, but I wonder if they are like Apple in a way: Open and accepting of consumer driven initiatives in some ways, and very anti-consumer in others.
I wonder if this was done to make it possible to, no matter what has happened, reset the phone to its original ROM? A layered fs would provide that nicely. We techies may not like it, but I suspect this was put in for the convenience of the users. No matter what they do, what they install, or what they break, the phone can always be restored to a clean working state. Let’s think about this logically before crying conspiracy, okay? It makes a lot of sense from T-Mobile’s point of view to do this, and would make it much easier to get people’s phones back up and running if they end up corrupted.
Yea, it’s a good security policy. Let’s remember we actually hack our devices to root them; those security vulnerabilities are often kept there for years because users don’t usually upgrade their phone if they don’t have a centralized interface like iTunes to push them. As much as I like taking advantage of my hardware, I saw too many Windows viruses over the years to think about myself first.
I will never buy a device that has not been rooted first. I waited until the day the second gen iTouch was rooted before buying mine, same for my Nexus.
“No matter what they do, what they install, or what they break, the phone can always be restored to a clean working state.”
Yes, on non-smart phones, by removing the battery cover and pressing a pencil against a recessed button for five seconds, or shorting two pins, or some such. It isn’t going to happen by accident, or in secret when you power up. That is exactly *not* the case with the G2.
This maneuver by (who? Google? HTC? T-Mobile? someone else?) is dirty, at best. It’s yet another example of why the GPLv3 includes special language to prohibit Tivo-ization of embedded devices.
I read stories like this, and I’m so glad I don’t have a “smart” phone that thinks it can arrogate the authority to dictate to me what I can and can’t do.
Some might say it is better with the G2. Certainly better for tech support when they can simply say “Did you try rebooting your phone?”.
In any case, I’m not ready to cry foul play. It seems like a good feature for the other 99.5% of people out there who run stock firmware.
Exactly how is this a rootkit? Did the definition change overnight?
“Still, it’s sad that once again, the device you buy is actually not yours.”
Yes it is. You can do what you please with the phone… but HTC, Google and T-Mobile are under no obligation to provide you with any particular service if you wish to modify it or in this case to enable you to modify easily.
If you want an easily hacked phone buy the one marketed as such: the Nexus One.
But they also don’t have the right to block you from modifying your OWN device. Sure, they can kill support and kick you from their service (and even that is debatable in Europe), but they can’t prevent you. That’s dirty and evil.
There’s no evidence that they have. As other people have said, the main purpose of this layered file-system is to protect the data from accidental damage and to provide a reliable way to restore the phone to its original condition.
The fact that it makes custom modifications harder is probably an unfortunate side effect.
There’s nothing stopping you from taking a soldering iron or JTAG programmer to the device.
The Nexus One is no longer available. So where in the marketplace can one find an Android phone that to date does not go to lengths to block the user’s freedom?
Still, it’s sad that once again, the device you buy is actually not yours.
Slow down here for a moment. The G2 is sold with a contract, and one of its “features” is a provider lock. This “root-kit” is a way to enforce that lock which you signed for. This is your sane choice to buy a locked phone, so what are your complaints? You sign a contract, you get what you signed for. Don’t like the contract terms? Go and buy the HTC Desire Z – same device, no contract.
Some might say it is hard to buy a SIM free phone in the US. Well, you have some options: eBay, EU online shops, your democracy. If you believe your country is democratic then change the laws of your country, outlaw these contracts.
US Democratic? I’m still laughing.
note: I’m in Europe.
Edited 2010-10-07 11:53 UTC
You are confusing issues. If you sign a contract you will abide by its terms.
One of the terms is that if you cancel early, you pay an early termination fee. That is purely a financial consideration. So, imagine I got my G2, paid the early termination fee – I’m in complete compliance with the terms of my contract. Why do you think I can’t do what I want, with my phone, that I bought, with my money?
Or, let’s say I get a G2, and one month later I decide I want a Samsung phone instead. I buy one off eBay. Why do you think I shouldn’t be able to unlock my G2 and sell it on eBay? I’m carrying the contract to full term, so why can’t I do what I want, with the phone that I own?
Stop confusing a contract, with a carrier lock.
Those carrier locks have nothing to do with your contract, and unlike your contract, they never expire.
Your 2g iPhone could be off contract for many years now, you could have upgraded to the 3g, the 3gs, and the iPhone 4 – and AT&T will never unlock that 2g iphone, not ever.
You must do it yourself.
I know a lot of people love big corporations – to each his own – but this is not about the contract – what enforces the contract, is the law. You owe what you owe, and believe me, they’ll make you pay. It has nothing to do with the phone being locked or unlocked.
They want to lock the phone to their carrier, so that even if you complete all the terms of your contract, anyone who ever comes across that phone, even the 10th owner of the phone, 20 years from now, still must subscribe to their network.
And that, my friend….defend all you want – is ABSURD.
Edited 2010-10-07 21:12 UTC
If you see a sign “Minefield” and still walk there it’s your own problem. Everyone knows that operator contracts are minefields, but still people sign them and then complain about something. And this is totally absurd. Don’t be stupid, buy unlocked phones – there will be no problems.
I did not see the hackers page, but what if they change the SIM card ?
Once I bought a cell phone from my phone carrier, asked to unlock it and gave it to my wife’s sister. When she put in the SIM card and powered on the phone, it started to download and install a lot of programs from her carrier.
So, she ended with a device “customized” from the SIM card. I was annoyed and glad she was not borrowing the phone.
It’s actually a GOOD thing(tm). Rooting in that case is attained by escaping the jail. While it can be legitimate, it also allows unauthorized software to run as root (you know, stuff like viruses and friends).
An average user can here reboot the phone and not worry.
If you want to whine, then do it because they don’t give us a way to gain root access legitimately.
But that section can’t really be read-only right?
Surely it should be possible to upgrade the phone to the next version of Android when that is released. If the updater can change the read-only section, then it should be possible for the jail-breakers to change it as well. I doubt if it will take long to break this.